Hello community, here is the log from the commit of package seamonkey for openSUSE:Factory checked in at 2016-08-09 22:15:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/seamonkey (Old) and /work/SRC/openSUSE:Factory/.seamonkey.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "seamonkey" Changes:
--------
--- /work/SRC/openSUSE:Factory/seamonkey/seamonkey.changes 2016-08-03 11:43:46.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.seamonkey.new/seamonkey.changes 2016-08-09 22:15:39.000000000 +0200
@@ -1,0 +2,14 @@
+Mon Aug 8 09:19:46 UTC 2016 - wr@rosenauer.org
+
+- build with -fno-delete-null-pointer-checks for Tumbleweed/gcc6
+ as long as underlying issues have been addressed upstream
+ (boo#991027)
+
+-------------------------------------------------------------------
+Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
+
+- Fix for possible buffer overrun (bsc#990856)
+ CVE-2016-6354 (bmo#1292534)
+ [mozilla-flex_buffer_overrun.patch]
+
+-------------------------------------------------------------------
New:
----
mozilla-flex_buffer_overrun.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ seamonkey.spec ++++++
--- /var/tmp/diff_new_pack.bEE405/_old 2016-08-09 22:15:45.000000000 +0200
+++ /var/tmp/diff_new_pack.bEE405/_new 2016-08-09 22:15:45.000000000 +0200
@@ -91,6 +91,8 @@
 Patch9: mozilla-reduce-files-per-UnifiedBindings.patch
 Patch10: mozilla-gcc6.patch
 Patch100: seamonkey-ua-locale.patch
+# hotfix
+Patch150: mozilla-flex_buffer_overrun.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: /bin/sh coreutils
 Provides: seamonkey-mail = %{version}
@@ -198,6 +200,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch150 -p1
 popd
 # comm patches
 %patch100 -p1
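Review bot: The `# hotfix` comment above the new `Patch150:` line records neither what the patch fixes nor when it can be dropped, so the next person touching the patch list has to dig through the changes file to find out. The changes entry already names the issue; carrying it into the spec, e.g. `# CVE-2016-6354 (bsc#990856, bmo#1292534): buffer overrun in flex-generated scanners; drop once fixed upstream`, keeps that context where the patch is applied. The `%patch150 -p1` line in the second hunk is applied inside the mozilla tree before `popd`, consistent with the other numbered patches, so only the comment needs attention.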
@@ -216,6 +219,9 @@
 export MOZILLA_OFFICIAL=1
 export BUILD_OFFICIAL=1
 export CFLAGS="%{optflags} -fno-strict-aliasing"
+%if 0%{?suse_version} > 1320
+export CFLAGS="$CFLAGS -fno-delete-null-pointer-checks"
+%endif
 %ifarch %arm
 export CFLAGS="${CFLAGS/-g / }"
 %endif
++++++ mozilla-flex_buffer_overrun.patch ++++++
# HG changeset patch
# Parent c8e8364b303892fdb5a574b96411d2d8f699a15e
Patch lexical parser files generated by flex which may be potentially exploitable in a buffer overrun. These seem to come from an upstream projects (CMU Sphinx and ANGLE) so it should be fixed there in the first place. CVE-2016-6354 https://bugzilla.suse.com/show_bug.cgi?id=990856
diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ /* just a shorter name for the current buffer */ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
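Review bot: The new `-fno-delete-null-pointer-checks` is appended to CFLAGS only; unless CXXFLAGS is derived from `$CFLAGS` later in this section (not visible in the hunk), the C++ translation units — which include the ANGLE scanners patched in this same commit — keep gcc6's default and the workaround does not reach them, so either confirm that derivation or add `export CXXFLAGS="$CXXFLAGS -fno-delete-null-pointer-checks"` inside the same `%if`. The `%if 0%{?suse_version} > 1320` block also carries no comment, although the changes entry ties it to boo#991027 and describes it as temporary; a line such as `# boo#991027: keep null-pointer checks gcc6 would otherwise drop; remove once the underlying code is fixed upstream` above the `%if` keeps that context in the spec. The flag suppresses an optimisation rather than fixing the code that relies on it, so it should be tracked as a workaround, not as the fix.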
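Review bot: The new `int num_to_read =` line only fixes the overrun because the value of `YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1` becomes negative when the buffer is full; if, as in flex's skeleton, `yy_buf_size` and `number_to_move` are `yy_size_t` (their declarations are outside the hunk), that subtraction is still evaluated unsigned and only turns negative through the implementation-defined conversion to `int`, which works in practice but is invisible to a reader. Nothing marks why the type is signed, so a later cleanup could restore `yy_size_t` and silently reopen the `while ( num_to_read <= 0 )` bypass; a comment such as `/* must stay signed: a full buffer yields <= 0 so the grow loop below runs (CVE-2016-6354) */` and, optionally, the explicit form `(int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size - (int) number_to_move - 1` would make the intent hold. These files are flex output, so the change is lost if they are ever regenerated with a flex that lacks the upstream fix; the same remark applies to the glslang_lex.cpp and jsgf_scanner.c hunks below. yy_get_next_buffer begins and ends outside the hunk.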
@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ /* just a shorter name for the current buffer */ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ /* just a shorter name for the current buffer */ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;